It can be tricky to protect your WordPress site from attacks. However, there are a few principles and tricks you can apply that are relatively easy to implement.
Disclosure: Some of the links in this post are ‘affiliate links.’ This means if you click on the link and make a purchase, I will receive an affiliate commission.
If you are hacked, you could lose your work, your users’ data, or some of your income. You could also be downgraded or blacklisted by search engines.
In addition, you should be aware that cleaning up a site that contains malicious code can be laborious, time-consuming and expensive. The time and effort you invest today will drastically reduce these risks.
Finally, note that one of the golden rules to protect your WordPress site is this: be a little harder to hack than your neighbours! It’s certainly cynical, but true. The majority of attacks exploit known vulnerabilities, and poorly secured or unsecured sites are the first victims.
1. Use a reliable web host
The first and probably most important step in protecting your WordPress site involves choosing a quality hosting provider. In addition to what you would normally expect from a hosting company (almost continuous server availability, 24/7 technical support, easy-to-use interface, etc.), security is also an essential aspect of this service.
Indeed, you should benefit from a free SSL certificate, regular scans of your server and help in case of a hack, but also the most recent versions of PHP, MySQL or MariaDB, etc. In other words, the technologies used by WordPress must be up to date. Here are two reliable and secure hosts that offer all these services and more.
Kinsta is an excellent web hosting company, specialising in managed WordPress hosting, which means it is largely "done for you". Renowned for its infrastructure that allows your site to load faster, this company offers the latest technology to host your WordPress site.
GreenGeeks, a cheaper alternative, is one of the good hosting companies of the moment. Their customer service is professional and efficient. They are constantly working to improve the security and technologies of their servers. With GreenGeeks, you manage your site yourself through cPanel.
2. Protect your WordPress site with an SSL certificate
An SSL/TLS certificate lets your site serve traffic over HTTPS, the encrypted version of HTTP, which protects data exchanged between your visitors and your server from being intercepted or tampered with. An added benefit is that search engines, especially Google, give slight preference to sites that use this protocol.
Today, SSL certificates are free thanks to Let’s Encrypt, a certificate authority, and are most often installed with a few clicks from your host’s dashboard or cPanel. Kinsta and GreenGeeks, mentioned above, offer an SSL certificate issued by Let’s Encrypt.
On the other hand, if your web host does not provide an SSL certificate for free, you can secure your site using Cloudflare. Cloudflare is a Content Delivery Network (CDN). It has the double advantage of protecting your site from certain types of attacks, notably by installing an SSL certificate, and improving loading speed.
3. Install a security plugin
Another important step in protecting your site is to install a security plugin. There are several very good ones out there and you will need to choose the one that best suits your needs. Here are two of the most popular ones.
With several million installations, Wordfence is one of the must-have security plugins on WordPress.
Wordfence regularly scans your site at the server level and blocks attacks. It also has many features to enhance your site’s security (disabling XML-RPC, two-step authentication, reCAPTCHA) that make it a real Swiss army knife.
Sucuri is another, if not the other, go-to plugin for security on WordPress. It offers many of the same features as Wordfence, but acts in a different way. Traffic to your site is scanned and filtered in the cloud. Therefore, Sucuri removes attacks before they reach your site.
However, Sucuri does not offer the same features to strengthen your installation as Wordfence. If you choose Sucuri, you may need additional plugins to fill in these gaps.
4. Protect usernames
In WordPress, it’s easy to discover usernames, but Wordfence allows you to protect these from automated attacks. By accessing this URL in private browsing:
and replacing "example.com" with your site’s URL, you can check if automatic harvesting of your usernames is possible. If so, I recommend that you use Wordfence to protect them.
You should know that it is still possible to discover your username or those of your users, namely by accessing your site directly. However, most attacks are automated. Hiding your usernames will make them less effective. It’s a form of security by avoidance: you’re making it harder for hackers to do their job instead of providing them with all the elements they need.
So it’s essential to change the default "admin" username since that’s the one hackers will try right away. Do not use your site name or URL, either in reverse or in part. These variants are well-known and can be found in the databases used for brute force attacks, which consist of automated login attempts to guess username and password combinations.
Instead, choose a unique username that’s difficult to discover. This cannot be changed by default in WordPress, but you can still do the following to change it if your current username seems too simple.
Create a new user with a complex username. Log out of WordPress and log back in with the user you just created. Then delete your old user, making sure to assign all of its content to your new user.
Note that you will still have the ability to determine your display name, the one that appears when you post an article or reply to a comment, for instance.
5. Protect your WordPress site with complex passwords
Using unique and complex passwords is a crucial ingredient in protecting your WordPress site. The tool that allows you to accomplish this easily is a password manager. It encrypts and saves passwords so that you only have to remember a single one. The best-known managers are probably LastPass and 1Password, but others such as Bitwarden are also effective.
Here’s how to use LastPass (video):
Note that since recording this video, LastPass is not free for use on multiple devices.
You can also use analog methods to remember your passwords. For example, you can write them down in a notebook in a way that is difficult to read (but don’t lose the notebook!). It doesn’t matter what the technique is; what matters is that they are unique, long and difficult to guess.
6. Disable XML-RPC
Some of the brute force attacks mentioned above use XML-RPC. This protocol is used to connect to WordPress remotely, but the WordPress REST API is gradually replacing it. In fact, most sites do not need XML-RPC and can block it.
You can easily disable it with Wordfence, but you can also do it in your .htaccess file by adding this piece of code.
# Disable xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
Make sure that this addition doesn’t create any errors. On Apache 2.4, the same rule can be written as `Require all denied` inside the `<Files>` block if the legacy `order`/`deny` directives are not available on your server. If you are experiencing problems, you are probably using a plugin or theme that requires XML-RPC.
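As an added example (not code from the original post), the following Python script scans Apache combined-format access log lines for the pattern behind the brute force and XML-RPC attacks described in sections 4 to 6: bursts of POST requests to wp-login.php or xmlrpc.php from a single IP address. The log lines are constructed sample data, and the threshold is an assumption to tune for your own traffic.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format (assumed; adjust the pattern if your host logs differently).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Endpoints that automated login-guessing tools hit on WordPress sites.
LOGIN_ENDPOINTS = {"/wp-login.php", "/xmlrpc.php"}

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_bruteforce(lines, threshold=10):
    """Return {ip: {path: count}} for every IP that POSTed to a login endpoint
    at least `threshold` times in the given lines."""
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string
        if path in LOGIN_ENDPOINTS:
            hits[rec["ip"]][path] += 1
    return {ip: dict(c) for ip, c in hits.items() if sum(c.values()) >= threshold}

def _log(ip, method, path, status="200"):
    # Helper that builds a constructed sample line in combined format.
    return (f'{ip} - - [10/Oct/2023:13:55:36 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')

# Constructed sample: one noisy client, one ordinary visitor who logs in once.
SAMPLE_LOG = (
    [_log("203.0.113.7", "POST", "/xmlrpc.php") for _ in range(12)]
    + [_log("203.0.113.7", "POST", "/wp-login.php", "302") for _ in range(3)]
    + [_log("198.51.100.4", "GET", "/"),
       _log("198.51.100.4", "POST", "/wp-login.php?redirect_to=%2Fwp-admin%2F", "302")]
)

if __name__ == "__main__":
    for ip, counts in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {counts}")
```

Run it against a real access log with `find_bruteforce(open("access.log"))`; IPs it reports are candidates for Wordfence blocking rules or for confirming that your xmlrpc.php rule is actually returning 403.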
7. Enable multi-factor authentication
Multi-factor authentication is a good digital hygiene principle to adopt, not just in WordPress, but everywhere. It strengthens the security of your accounts by adding an extra layer of protection if your password is stolen or cracked.
Wordfence contains a module that allows you to set up your login in two steps. You can also install the following plugin as an alternative to this Wordfence feature: WP 2FA.
After that, you will need your phone when you log in. You will also have the option of registering your device for 30 days and entering your authentication code only once a month.
8. Choose reliable themes
The structure of your WordPress site relies on your theme. It is imperative you choose one that is high-quality, well-coded, and regularly updated. Hackers are fond of outdated code since when they inspect it, they often find vulnerabilities to exploit.
There are many excellent themes out there, both free and paid. If you choose a paid theme, you will have updates and technical support. This is precisely what you’re buying. But free themes, especially those developed by the WordPress team, are good alternatives.
Here are some recommendations:
The Twenty Twenty-One theme should already be preinstalled with WordPress. You can customize it to fit your site’s needs.
Divi is a paid theme that offers many features that allow you to create complex elements, even if you don’t know how to code.
9. Choose reliable plugins
Your plugins are important. They need to be well structured and regularly maintained, i.e. updated. Stay away from those that haven’t been updated for several years and that appear to be discontinued. Their code may have vulnerabilities. As with themes, a bad actor could exploit these flaws.
Similarly, if the number of installations of a plugin is small, it may be of dubious quality. There are, of course, exceptions, such as new projects or good quality plugins that simply do not get the success they deserve.
As a general rule, the more well-known and widely used a plugin is, the more its development team can make a real business out of it, and therefore has the time and the means to do a thorough job and to keep it up-to-date and secure.
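Added example (not part of the original post): a small Python check that applies the criteria of this section, maintenance recency and install base, to records in the shape returned by the public WordPress.org plugin info API, and goes one step further by also comparing the plugin's declared "tested up to" WordPress version with the version you run. The plugin records are constructed sample data, and the thresholds are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Record shape follows the WordPress.org plugin info API
# (https://api.wordpress.org/plugins/info/1.0/<slug>.json); the values are
# constructed sample data, not real plugins.
SAMPLE_PLUGINS = [
    {"slug": "sample-maintained", "active_installs": 2000000,
     "last_updated": "2024-03-02 9:10am GMT", "tested": "6.5"},
    {"slug": "sample-abandoned", "active_installs": 400,
     "last_updated": "2019-07-14 11:30pm GMT", "tested": "5.2"},
]

# Fixed "today" so the results are reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

def parse_last_updated(value):
    """Parse the API's 'YYYY-MM-DD h:MMam GMT' timestamp into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%d %I:%M%p GMT").replace(tzinfo=timezone.utc)

def version_tuple(version):
    return tuple(int(part) for part in version.split("."))

def assess_plugin(info, now=NOW, max_age_days=730, min_installs=1000, current_wp="6.5"):
    """Return the red flags for one plugin record; an empty list means none found."""
    flags = []
    age = now - parse_last_updated(info["last_updated"])
    if age > timedelta(days=max_age_days):
        flags.append(f"not updated for {age.days} days")
    installs = info.get("active_installs", 0)
    if installs < min_installs:
        flags.append(f"only {installs} active installs")
    # "tested" is the highest WordPress version the author declares the plugin works with.
    if version_tuple(info.get("tested", "0")) < version_tuple(current_wp):
        flags.append(f"tested only up to WordPress {info.get('tested')}")
    return flags

if __name__ == "__main__":
    for plugin in SAMPLE_PLUGINS:
        print(plugin["slug"], assess_plugin(plugin) or "no red flags")
```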
10. Maintain your site regularly
If you spend time looking for a quality theme and reliable plugins that are regularly maintained, then you have to update them, otherwise your efforts will be wasted!
10.1 Make updates
It can be tricky to make updates, as they can sometimes "break" your site. Indeed, a new version of a plugin or theme can cause a compatibility issue and disfigure the appearance of your pages, or worse, lock you out of your dashboard. This is why there is a process to follow which requires some preparation, but which will avoid unpleasant surprises in the long run.
First of all, I recommend that you create a staging site, in the form of a copy of your live site, to test your updates. Most hosting companies now offer this service with just a few clicks.
This copy allows you to not only check for updates of your themes and plugins, but also to experiment with new features you want to add or layouts you want to change.
Once you’ve done your testing and confirmed that no errors have occurred, you can update the online version, either manually or with a plugin. If something causes a problem, your live site won’t suffer. Note that Wordfence can notify you by email of available updates.
You also have the option of doing them automatically, which has risks and benefits. On the one hand, you may get a nasty surprise with a disfigured site after an update that creates an incompatibility; on the other hand, you will not have to perform this process manually. Any update can cause damage, even if WordPress, your plugins or your theme guarantee the opposite.
10.2 Perform automated backups
Making regular backups is necessary. If anything happens to your site, your computer or even your host, as was the case in the spring of 2021 at OVH, for example, your files and data are secured. Therefore, you won’t lose all your work.
Backups are easily done thanks to a plugin. To minimise the risk of losing them along with your site, you should keep at least two copies on two different media, both outside your server.
To automate this process, I recommend UpdraftPlus.
With this plugin, you can send your files to Google Drive, Dropbox, or another cloud storage service. You can also download them to your computer or an external hard drive, for example. You will then have three versions: your live site; a copy in cloud storage; and an offline backup.
Digital security encompasses a set of principles to be implemented and then updated regularly. By applying the ten points above, you can better protect your WordPress site.
Some of the processes are specific to WordPress, others are part of general prevention rules. In any case, every time you strengthen the security of your site, you decrease the chances of it being damaged or destroyed by a malicious attack.
Please feel free to ask me any questions in the comments.